… interesting tidbits of release engineering.

Modern ssh comes with the option to obfuscate the hosts it can connect
to, by enabling the HashKnownHosts option. Modern server installs
have that as a default. This is a good thing.

The obfuscation occurs by hashing the first field of the known_hosts
file - this field contains the hostname, port and IP address used to
connect to a host. Presumably, there is a private ssh key on the host
used to make the connection, so this process makes it harder for an
attacker to utilize those private keys if the server is ever
compromised.

Super! Nifty! Now how do I audit those files? Some services have
multiple IP addresses that serve a host, so some updates and changes are
legitimate. But which ones? It’s a one-way hash, so you can’t decode it.

Well, if you had an unhashed copy of the file, you could match host keys
and determine the host name & IP. [1] You might just have such a file on
your laptop (at least I don’t hash keys locally). [2] (Or build a
special file by connecting to the hosts you expect with the options
“-oHashKnownHosts=no -oUserKnownHostsFile=/path/to/new_master”.)

I threw together a quick python script to do the matching, and it’s at
this gist. I hope it’s useful - as I find bugs, I’ll keep it updated.
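As an added example (not the author's gist), here is the matching step in Python with one refinement: once a hashed entry's host key is found in the unhashed master file, each candidate name is confirmed by recomputing the entry's HMAC-SHA1 with its own salt, so a key served under several names or IPs resolves to the name that was actually hashed, and an entry with no confirmed name is the one to look at. The host names, keys and salt below are constructed sample data, not real values.

```python
import base64, hashlib, hmac

# Constructed sample data (not real keys): KEY_A is served from two names.
KEY_A = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA000000000000000000000000"
KEY_B = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyB000000000000000000000000"
MASTER = "build.example.org,10.0.0.5 %s\nscm.example.org %s\n" % (KEY_A, KEY_B)

def parse_known_hosts(text):
    """Return (host_field, 'type base64key') pairs; skips comments and markers."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3 and not parts[0].startswith("#"):
            entries.append((parts[0], parts[1] + " " + parts[2]))
    return entries

def hash_host(hostname, salt):
    """OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def hashed_host_matches(host_field, hostname):
    """Recompute the HMAC with the entry's own salt and compare digests."""
    _, _, salt_b64, mac_b64 = host_field.split("|", 3)
    digest = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, base64.b64decode(mac_b64))

def resolve_hashed(hashed_text, master_text):
    """Map each hashed entry to the master names confirmed by its own HMAC.
    Empty list: no master entry confirms it, so it deserves a closer look."""
    by_key = {}
    for host_field, key in parse_known_hosts(master_text):
        by_key.setdefault(key, set()).update(host_field.split(","))
    result = {}
    for host_field, key in parse_known_hosts(hashed_text):
        if host_field.startswith("|1|"):
            result[host_field] = sorted(h for h in by_key.get(key, ())
                                        if hashed_host_matches(host_field, h))
    return result

def demo():
    """Constructed server-side file with a fixed salt so results are reproducible."""
    salt = bytes(range(20))
    hashed = "%s %s\n%s %s\n" % (hash_host("10.0.0.5", salt), KEY_A,
                                 hash_host("unknown.example.net", salt), KEY_B)
    return resolve_hashed(hashed, MASTER)
```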

As much as GMail’s search syntax makes me long for PCRE, there are some
unobvious gems lying around.

For example, I get tons of mail about releases. Occasionally, I need to
monitor a given release, paying attention to not only the automated
progress, but also human generated emails as well. Here’s my current
setup: